SwitchSniff

For those who think switched Ethernet environments are sniff-proof, the author offers this warning.

Detecting Sniffers

The reader is referred to an earlier article for the basics of
sniffer detection. When a sniffer operates on a switched network,
the chances of detecting it are higher: in that scenario the
sniffer is not a passive device but has to perform certain
activities, and those activities can be detected.

ARP spoofing can be detected using a program called arpwatch. It
monitors the ARP cache of a machine for duplicate entries; if one
appears it can trigger an alarm and lead to the detection of the
sniffer. It can be obtained at
online.securityfocus.com/data/tools/arpwatch.tar.Z

Conclusions

As is clear from the above sections, one method of sniffing in a
switched environment is ARP spoofing, and the machine most likely
to be ARP spoofed is the gateway. One countermeasure is to add the
MAC address of the gateway permanently to your ARP cache, which
can be done by giving the -s flag to the arp command; see the arp
man page for details. Alternatively, you can list the MAC
addresses of the important machines in the /etc/ethers file to
prevent those machines from being spoofed.

Final words of advice: Use encryption. Switch to SSH and SCP
instead of Telnet and FTP.
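As an added example (not code from the article, nor from arpwatch itself), the script below ties the two sections together: it replays a constructed burst of ARP replies through an arpwatch-style monitor that keeps the gateway entry pinned the way arp -s and /etc/ethers would, and flags the duplicate mapping a host produces when it claims the gateway's address. All addresses, function names and sample replies are the example's own constructed values.

```python
"""Minimal arpwatch-style monitor (added example, not the article's own code).
Replays constructed ARP replies against an IP -> MAC table and reports
new-station, flip-flop (an IP's MAC changed), static-conflict (a reply that
contradicts a pinned gateway entry) and duplicate-mac (one MAC answering for
several IPs, the pattern a host claiming the gateway's address leaves).
"""
from collections import defaultdict, namedtuple

ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac")

# Constructed traffic: .1 is the gateway, .20 a host whose MAC, from ts=30, also answers for .1.
SAMPLE_REPLIES = [
    ArpReply(1, "192.168.1.1", "aa:bb:cc:dd:ee:01"),
    ArpReply(5, "192.168.1.20", "aa:bb:cc:dd:ee:20"),
    ArpReply(30, "192.168.1.1", "aa:bb:cc:dd:ee:20"),
    ArpReply(31, "192.168.1.1", "AA:BB:CC:DD:EE:20"),  # same claim, upper case
]

# Entries pinned with "arp -s" or /etc/ethers, as the article recommends (constructed).
STATIC_ENTRIES = {"192.168.1.1": "aa:bb:cc:dd:ee:01"}


def monitor(replies, static=STATIC_ENTRIES):
    """Return (kind, ts, ip, mac) alerts in the order they are raised."""
    table = {ip: mac.lower() for ip, mac in static.items()}
    claims = defaultdict(set)  # mac -> every IP it has claimed on the wire
    alerts = []
    for r in replies:
        ip, mac = r.sender_ip, r.sender_mac.lower()
        prev = table.get(ip)
        if prev is None:
            alerts.append(("new-station", r.ts, ip, mac))
        elif prev != mac:
            kind = "static-conflict" if ip in static else "flip-flop"
            alerts.append((kind, r.ts, ip, mac))
        if ip not in static:  # a pinned entry is never overwritten from the wire
            table[ip] = mac
        before = len(claims[mac])
        claims[mac].add(ip)
        if before and len(claims[mac]) > before:  # this MAC now answers for one more IP
            alerts.append(("duplicate-mac", r.ts, ip, mac))
    return alerts


def pin_commands(static=STATIC_ENTRIES):
    """Lines for "arp -s" (ARP cache) and /etc/ethers (hardware address, then IP)."""
    arp = [f"arp -s {ip} {mac}" for ip, mac in sorted(static.items())]
    ethers = [f"{mac} {ip}" for ip, mac in sorted(static.items())]
    return arp, ethers
```

Without the pinned gateway entry the same traffic is reported as a flip-flop plus a duplicate MAC instead of a static conflict, which is exactly the difference the -s flag makes.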

There are some good uses for this too. For example, if you wanted to find out who is using all your bandwidth, but you're not a sysadmin. You can use ettercap to poison the ARP cache of your default route, which will also enable you to span multiple switches, then use something like etherape to see what's going on.

Some switches will crash and burn, so be careful where you try this.

Has anyone tried to use this technique for a good purpose? For example, an IDS, IP accounting, etc., where you don't have control of the switch to set up a mirror port?

In half-duplex mode: This competing is defined by the NIC listening for traffic before it sends traffic. If it's connected to a switch, the switch only sends stuff to it, so the NIC is competing with the switch only instead of all the other computers. When the switch goes into 'hub' mode, the sending NIC now has a bunch of traffic to dodge before it can send its packet.

In full-duplex mode (just a guess): There is no collision detection; the NIC sends and receives at the same time. The overloaded switch would still send everything to everyone, but the sending would not interrupt the receiving and vice versa. I have heard of some switches that revert to half-duplex when overloaded.

Once a switch goes into a failopen mode, it behaves exactly like a hub. Computers connected to it will then have to compete for bandwidth, as in the case of a hub. In fact, though it is not mentioned in the article, suspicious administrators should often look for such signs in a network...

This of course assumes you are using managed switches, which cost many times more than unmanaged ones. I think you can still achieve good security results by using reservations for DHCP leases (better organization too), adding static entries in ARP tables for places like file servers, DNS, and gateways, and using monitoring tools like arpwatch. It isn't as effective as locking down things at the hardware level with a managed switch, but it should be enough for most environments and a hell of a lot cheaper if you don't require the added functionality the managed switch allows you...

Get rid of the tables. They're killing me. Try to print your page from Netscape, and you'll see what I mean. I had to paste the HTML into an editor and fix it just to print it. Validate your code against the W3C validator to see the things you need to fix.

Unfortunately, arpwatch isn't all that useful on networks that make use of DHCP. People who turn their computers off at night may have their IP addresses change the next day or over the weekend. My boss runs arpwatch where I work, and we just get flooded with reports of changing addresses because of this.

We set our IP lease time to 4 days. That way, unless someone is on vacation, the lease is renewed and the IP remains the same, no matter how much the machine is turned on and off. This is so stable and dependable that we have older machines that have had the same IP address since DHCP was put in place (I can count on "old .94" to be surfing porn at work, for example).